US9378348B2 - Adding biometric identification to the server security infrastructure for an enterprise service bus system - Google Patents

Info

Publication number
US9378348B2
Authority
US
United States
Prior art keywords
esb
biometric information
user
client
biometric
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US12/350,908
Other versions
US20100175114A1 (en)
Inventor
Mark Cameron Little
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Red Hat Inc
Original Assignee
Red Hat Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Red Hat Inc filed Critical Red Hat Inc
Priority to US12/350,908 priority Critical patent/US9378348B2/en
Assigned to RED HAT, INC. reassignment RED HAT, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LITTLE, MARK CAMERON, DR.
Publication of US20100175114A1 publication Critical patent/US20100175114A1/en
Application granted granted Critical
Publication of US9378348B2 publication Critical patent/US9378348B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115 Third party

Definitions

  • Embodiments of the present invention relate to a method and system for security. Specifically, embodiments of the invention relate to adding a biometric identification to the client and server security infrastructure for an enterprise service bus system.
  • a service oriented architecture enables enterprises to integrate services, handle business events, and automate business processes more efficiently.
  • SOA links information technology resources, data, services, and applications.
  • An SOA can include an enterprise service bus (ESB).
  • An ESB is an event-driven and standards-based messaging engine that provides services for more complex architectures.
  • the ESB provides infrastructure that links together services and clients to enable distributed applications and processes.
  • an ESB can include one or more busses that logically interconnect available services and clients.
  • the ESB interconnects services and clients using different protocols such as hypertext transfer protocol, common object request broker architecture, Java™, file transfer protocol, and email.
  • the ESB adds a layer of security to the connections using certificate exchange between the ESB client and ESB server. The ESB uses this security to allow or disallow ESB clients access to ESB services.
  • FIG. 1 is a block diagram of one embodiment of ESB security system using biometric identification with certificates.
  • FIG. 2 is a block diagram of one embodiment of ESB security system using biometric identification with trusted third party biometric repository.
  • FIG. 3 is a flowchart of one embodiment of a process for accessing an ESB service using a certificate retrieved using a user's biometric information.
  • FIG. 4 is a flowchart of one embodiment of a process for accessing an ESB service using a user's biometric information and a trusted third party authenticator.
  • FIG. 5 is a block diagram of a biometric identifier that retrieves a certificate from a user's biometric information.
  • FIG. 6 is a block diagram of a biometric identifier that identifies a user with the user's biometric information and a trusted third party authenticator.
  • FIG. 7 is a diagram of one embodiment of a computer system for a biometric identifier.
  • the ESB security system authenticates a user of ESB services using the user biometric information.
  • an ESB client accesses the user's biometric information, such as the user's fingerprint information, iris characteristics, facial recognition, hand geometry, deoxyribonucleic acid properties, etc. via a biometric input module coupled to the ESB client.
  • the ESB client matches this biometric information with biometric information stored in a certificate database.
  • the certificate database can be local to the ESB client or stored on a certificate server that is remote from the ESB client. If the ESB client determines there is a match between the user's biometric information and the biometric information stored in the certificate database, the ESB client retrieves a certificate from the certificate database. With the retrieved certificate, the ESB client establishes a connection to the ESB and accesses ESB services.
  • the ESB client accesses the user's biometric information via a biometric input module coupled to the ESB client and sends this biometric information to an ESB server.
  • the ESB server receives the user's biometric information and attempts to authenticate the user based on the biometric information with a trusted third party authenticator.
  • the trusted third party authenticator sends back a message authenticating the user to the ESB server.
  • the ESB system establishes a connection with the ESB client and allows the ESB client to access ESB services.
  • FIG. 1 is a block diagram of one embodiment of ESB security system 100 using biometric identification with certificates.
  • ESB security system comprises client 102 communicating with ESB 106 to access service(s) 110 .
  • client 102 establishes a connection with ESB 106 using a public key certificate.
  • a public key certificate is an electronic document that incorporates a digital signature of a user to bind together a public key with the user's identity. This certificate is used to verify that the public key belongs to an individual.
  • client 102 identifies the user of client 102 to ESB 106 .
  • ESB 106 allows connection to none, some, or all of service(s) 106 .
  • ESB 106 allows the connection using ESB server 108 .
  • biometric information is information that describes or identifies a person based on physiological or behavioral characteristics.
  • physiological biometric information identifies a user based on the user's fingerprint, iris characteristics, facial recognition, hand geometry, deoxyribonucleic acid (DNA) properties, etc.
  • behavioral biometric information identifies a user based on the user's voice characteristics.
  • Client 102 comprises biometric identification module 104 , biometric input module 114 , and (optionally) certificate database 116 .
  • Biometric input module 114 is a module that acquires the user's biometric information.
  • biometric input module 114 is a fingerprint scanner, retinal scanner, facial recognition system, hand geometry recognition system, voice analyzer, DNA analyzer, etc.
  • Biometric identification module 104 accesses the user's biometric information from biometric input module 114 and determines if the user's biometric information matches biometric information known to client 102 . In one embodiment, biometric identification module 104 matches the user's biometric information with the biometric information stored in a certificate database 116 that is part of client 102 . In this embodiment, biometric identification module 104 queries certificate database 116 with the user's biometric information to determine if there is a match. If there is a match, certificate database 116 returns the stored certificate that corresponds to the user's biometric information. In one embodiment, certificate database 116 matches the biometric information to identify the user.
  • certificate database 116 matches the biometric information and some other information (name, user name, password, etc, and/or a combination thereof) to identify the user.
  • Client 102 uses this stored certificate to access service(s) 110 via ESB 106 over an ESB 106 access transport, such as hypertext transfer protocol, common object request broker architecture, Java™, file transfer protocol, and email.
  • This certificate can be used by client 102 to access some or all of the available service(s) 110 .
  • biometric identification module 104 queries certificate server 112 that is remote from client 102 with the user's biometric information to determine if there is a match. If there is a match, certificate server 112 returns the stored certificate that corresponds to the user's biometric information. Client 102 uses this stored certificate to access service(s) 110 via ESB 106 using one of the access transports listed above.
  • biometric identification module 104 acts as a bridge between biometric input module 114 that is part of client 102 and the certificate-based security infrastructure of ESB 106 .
  • client 102 uses the existing ESB security infrastructure to bridge biometric information accessed by client 102 and the certificates used by ESB server to authenticate the user.
  • FIG. 2 is a block diagram of one embodiment of ESB security system 200 using biometric identification with trusted third party biometric authenticator 212 .
  • ESB security system comprises client 202 communicating with ESB 206 to access service(s) 210 .
  • client 202 establishes a connection with ESB 106 using a user's biometric information communicated between client 202 and server 208 . This biometric information is used to verify that the user is allowed to access service(s) 210 .
  • ESB 206 allows connection to none, some or all of service(s) 206 .
  • Client 202 comprises biometric transmitting module 204 and biometric input module 214 .
  • biometric input module 214 is a module that acquires the user's biometric information.
  • biometric input module 214 is a fingerprint scanner, retinal scanner, facial recognition system, etc.
  • Biometric transmitting module 204 accesses the acquired biometric information and transmits the acquired biometric information to server 208 .
  • biometric transmitting module 204 embeds the biometric information in an ESB message.
  • client 202 receives a message from server 208 indicating whether the authentication based on the biometric information succeeded or not.
  • server 208 attempts to authenticate client 204 using this biometric information.
  • server 208 comprises biometric identifying module 214 .
  • Biometric identifying module 214 queries trusted third party authenticator 212 with the user's biometric information to determine if there is a match. If there is a match, trusted third party authenticator 212 sends an authenticate allowed message back to server 208 .
  • the authenticate allowed message is an ESB message.
  • server 208 embeds the biometric information in a Remote Authentication Dial In User Service (RADIUS) message.
  • server 208 uses the RADIUS protocol to authenticate client 204 using the user's biometric information.
  • Server 208 establishes a connection with client 202 and allows client 202 to access service(s) 210 .
  • trusted third party authenticator 212 is a system that stores biometric information and authenticates requests based on the stored biometric information.
  • trusted third party authenticator 212 can be a private or governmental party that compiles biometric information for use in many different systems (ESB, etc.).
  • trusted third party authenticator 212 can be a bank, insurance company, etc.
  • FIG. 3 is a flowchart of one embodiment of a process 300 for accessing an ESB service using a certificate generated from a user's biometric information.
  • the process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), or a combination thereof.
  • the process 300 is performed by a biometric identification module used in a client such as biometric identification module 104 of FIG. 1 .
  • process 300 begins with processing logic accessing the user's biometric information at block 302 .
  • process 300 accesses fingerprint information from a fingerprint scanner.
  • process 300 accesses other types of biometric information using a different type of system (retinal scanner, facial recognition system, etc.).
  • process 300 determines if the user is a valid ESB user based on the accessed biometric information. In one embodiment, process 300 determines if the user is a valid ESB user by matching the accessed biometric information with biometric information stored in a local certificate database as described with reference to FIG. 1 . In another embodiment, process 300 queries a remote certificate server using the accessed biometric information to determine if the user associated with the biometric information is allowed.
  • if the user is not a valid ESB user, process 300 denies access to the ESB service(s) and the process ends at block 312 . However, if the user is a valid ESB user, process 300 generates a certificate at block 306 . In one embodiment, process 300 generates a certificate by retrieving the corresponding certificate from a local certificate database as described in reference to FIG. 1 . Alternatively, process 300 receives a certificate from a remote certificate server as described in reference to FIG. 1 .
  • process 300 establishes a connection between the client and the ESB server using the retrieved certificate.
  • Process 300 accesses the ESB service at block 310 .
  • process 300 accessed the user's biometric information to match and retrieve a certificate that is used to establish a secure connection with the ESB server.
  • a process can transmit the biometric information to the ESB server and have the ESB server authenticate the user with the received biometric information using a trusted third party authenticator.
  • FIG. 4 is a flowchart of one embodiment of a process 400 for authenticating a user with received biometric information and a trusted third party authenticator.
  • the process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), or a combination thereof.
  • the process 400 is performed by a biometric identification module used in a server, such as biometric identifying module 216 of FIG. 1 .
  • process 400 begins with processing logic receiving biometric information of a user from a client at block 402 .
  • process 400 receives biometric information from client 202 , which includes a biometric input module 214 that client 202 uses to access the user's biometric information.
  • process 400 requests authentication of a user from a third party authenticator using the received biometric information.
  • process 400 sends an authentication request to trusted third party authenticator 212 as described with reference to FIG. 2 .
  • process 400 sends an ESB message.
  • Process 400 determines if the user is a valid ESB user at block 406 .
  • process 400 determines if the user is a valid ESB user by receiving an authentication allowed message from trusted third party authenticator 212 as described in reference to FIG. 2 above.
  • the authentication allowed message is an ESB message. If process 400 determines that the user is not allowed to access the ESB service(s), process 400 denies the user's client access to the ESB service(s) at block 412 .
  • if the user is allowed, process 400 establishes a connection with the client at block 408 . In one embodiment, process 400 establishes a connection to the ESB service(s). At block 410 , process 400 allows access to the ESB service(s).
  • FIG. 5 is a block diagram of a biometric identification module 500 that generates a certificate from a user's biometric information.
  • client biometric identification module 500 is biometric identification module 104 of client 102 in FIG. 1 above.
  • Biometric identification module 500 comprises biometric information accessing module 502 , authenticate module 504 , certificate retrieving module 506 , and client secure connection module 508 .
  • Biometric information accessing module 502 accesses biometric information that is generated using a biometric input module, such as biometric input module 114 of client 102 in FIG. 1 .
  • biometric information accessing module 502 accesses the biometric information as described in FIG. 3 , block 302 .
  • Authenticate module 504 uses the accessed biometric information to authenticate the user as described in FIG. 3 , block 304 .
  • Certificate retrieving module 506 retrieves the certificate for the user as described in FIG. 3 , block 306 .
  • Client secure module 508 establishes a connection using the generated certificates between client and an ESB server as described in FIG. 3 , block 308 .
  • FIG. 6 is a block diagram of a server biometric identifying module 600 that identifies a user with the user's biometric information and a trusted third party repository of biometric information.
  • server biometric identifying module 600 is biometric identifying module 214 of ESB server 208 in FIG. 1 above.
  • Server biometric identifying module 600 comprises biometric information receiver module 602 , authenticate request module 604 , authenticate receive module 606 , server connection module 608 , and server access module 608 .
  • Biometric information receiving module 602 receives biometric information that is generated using a biometric input module, such as biometric input module 214 of client 202 in FIG. 2 . In one embodiment, biometric information receiving module 602 receives the biometric information as described in FIG.
  • Authenticate request module 604 uses the received biometric information to request an authentication of the user as described in FIG. 4 , block 404 .
  • Authenticate receive module 606 receives the response to the authentication request and determines if the user is a valid ESB user as described in FIG. 4 , block 406 .
  • Server connection module 608 establishes a connection between the ESB client and the ESB server as described in FIG. 4 , block 408 .
  • Server access module 610 allows access to ESB service(s) for the ESB client as described in FIG. 4 , block 410 .
  • FIG. 7 is a diagram of one embodiment of device 700 for biometric identification.
  • the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, or the Internet.
  • the machine can operate in the capacity of a server or a client machine (e.g., a client computer accessing ESB services using certificates retrieved using a user's biometric information and the server computer allowing access to ESB services based on biometric information and a trusted third party biometric repository) in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.
  • the machine may be a personal computer (PC), a tablet PC, a console device or set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • the exemplary device 700 includes a processing device 702 , a main memory 704 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 706 (e.g., flash memory, static random access memory (SRAM), etc.), and a secondary memory 716 (e.g., a data storage device in the form of a drive unit, which may include fixed or removable computer-readable storage medium), which communicate with each other via a bus 708 .
  • Processing device 702 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device 702 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 702 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. Processing device 702 is configured to execute the ESB communication system 726 for performing the operations and steps discussed herein.
  • the device 700 may further include a network interface device 722 .
  • the device 700 also may include a video display unit 710 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)) connected to the computer system through a graphics port and graphics chipset, an alphanumeric input device 712 (e.g., a keyboard), a cursor control device 714 (e.g., a mouse), and a signal generation device 720 (e.g., a speaker).
  • the secondary memory 716 may include a machine-readable storage medium (or more specifically a computer-readable storage medium) 724 on which is stored one or more sets of instructions (e.g., the biometric identifier system 726 ) embodying any one or more of the methodologies or functions described herein.
  • the biometric identifier system 726 may also reside, completely or at least partially, within the main memory 704 and/or within the processing device 702 during execution thereof by the device 700 , the main memory 704 and the processing device 702 also constituting machine-readable storage media.
  • the biometric identifier system 726 may further be transmitted or received over a network 718 via the network interface device 722 .
  • the computer-readable storage medium 724 may also be used to store the biometric identifier system 726 persistently. While the computer-readable storage medium 726 is shown in an exemplary embodiment to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The terms “computer-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.
  • modules 728 can be implemented as discrete hardware components or integrated in the functionality of hardware components such as ASICs, FPGAs, DSPs or similar devices.
  • the modules 728 can be implemented as firmware or functional circuitry within hardware devices.
  • the modules 728 can be implemented in any combination of hardware devices and software components.
  • the present invention also relates to an apparatus for performing the operations herein.
  • This apparatus may be specially constructed for the required purposes or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, Flash memory devices including universal serial bus (USB) storage devices (e.g., USB key devices) or any type of media suitable for storing electronic instructions, each of which may be coupled to a computer system bus.
  • a computer-readable storage medium includes any mechanism for storing information in a form readable by a computer.
  • a computer-readable storage medium includes read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices or other types of machine-accessible storage media.
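The following is an added example and is not code from the patent or from Red Hat. It is a self-contained Python simulation of the two flows described above: process 300 (FIG. 3, the client matches a biometric sample against a certificate database, retrieves the corresponding certificate and connects to the ESB server with it) and process 400 (FIG. 4, the ESB server forwards the biometric information received in an ESB message to a trusted third party authenticator and allows access only on an authenticate-allowed message). The representation of biometric information as a 64-bit template code compared by Hamming distance, the match threshold, the in-memory stores, the message field names and every function and class name are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumption: a biometric template is reduced to a 64-bit code, and two codes
# "match" when their Hamming distance is at most MATCH_THRESHOLD. The threshold
# trades false accepts (too loose) against false rejects (too strict).
MATCH_THRESHOLD = 6


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two template codes."""
    return bin(a ^ b).count("1")


@dataclass
class CertificateDatabase:
    """Client-side store (FIG. 1, certificate database 116): enrolled template -> certificate."""
    entries: Dict[str, Tuple[int, str]]  # user name -> (template code, certificate)

    def lookup(self, sample: int) -> Optional[Tuple[str, str]]:
        """Return (user, certificate) for the closest enrolled template within the threshold."""
        best = None
        for user, (template, cert) in self.entries.items():
            d = hamming(sample, template)
            if d <= MATCH_THRESHOLD and (best is None or d < best[0]):
                best = (d, user, cert)
        return None if best is None else (best[1], best[2])


class TrustedThirdPartyAuthenticator:
    """FIG. 2, authenticator 212: holds enrolled templates and answers authentication requests."""

    def __init__(self, enrolled: Dict[str, int]):
        self.enrolled = enrolled  # user name -> template code

    def authenticate(self, request: dict) -> dict:
        template = self.enrolled.get(request["user"])
        ok = template is not None and hamming(request["biometric"], template) <= MATCH_THRESHOLD
        return {"type": "authenticate_allowed" if ok else "authenticate_denied", "user": request["user"]}


class EsbServer:
    """ESB server: accepts certificate-based connections (FIG. 1) or biometric ones (FIG. 2)."""

    def __init__(self, ttp: TrustedThirdPartyAuthenticator, trusted_certs: Set[str]):
        self.ttp = ttp
        self.trusted_certs = trusted_certs

    def connect_with_certificate(self, cert: str) -> Optional[str]:
        """Block 308 counterpart: only a certificate the server trusts opens a session."""
        return f"session:{cert}" if cert in self.trusted_certs else None

    def process_400(self, esb_message: dict) -> dict:
        """FIG. 4: server-side authentication through the trusted third party."""
        # Block 402: biometric information arrives embedded in an ESB message.
        request = {"user": esb_message["user"], "biometric": esb_message["biometric"]}
        # Block 404: request authentication from the trusted third party authenticator.
        reply = self.ttp.authenticate(request)
        # Blocks 406/412: anything other than an authenticate-allowed message is a denial.
        if reply.get("type") != "authenticate_allowed":
            return {"access": False, "reason": "third party denied"}
        # Blocks 408/410: establish the connection and allow access to the service(s).
        return {"access": True, "user": reply["user"], "session": f"session:{reply['user']}"}


def process_300(sample: int, certdb: CertificateDatabase, server: EsbServer) -> dict:
    """FIG. 3: client-side flow from biometric sample to ESB service access."""
    match = certdb.lookup(sample)                                      # block 304
    if match is None:
        return {"access": False, "reason": "no biometric match"}       # block 312
    user, cert = match                                                 # block 306
    session = server.connect_with_certificate(cert)                    # block 308
    if session is None:
        return {"access": False, "reason": "certificate rejected by ESB server"}
    return {"access": True, "user": user, "session": session}          # block 310


# --- Constructed sample data (not taken from the patent) ---------------------
ALICE_TEMPLATE = 0xA5A5A5A5A5A5A5A5
ALICE_SAMPLE = ALICE_TEMPLATE ^ 0b111     # a fresh scan with 3 bits of sensor noise
IMPOSTOR_SAMPLE = 0x5A5A5A5A5A5A5A5A      # every bit differs from Alice's template

CERT_DB = CertificateDatabase({"alice": (ALICE_TEMPLATE, "cert-alice")})
TTP = TrustedThirdPartyAuthenticator({"alice": ALICE_TEMPLATE})
SERVER = EsbServer(TTP, trusted_certs={"cert-alice"})

if __name__ == "__main__":
    print(process_300(ALICE_SAMPLE, CERT_DB, SERVER))
    print(process_300(IMPOSTOR_SAMPLE, CERT_DB, SERVER))
    print(SERVER.process_400({"user": "alice", "biometric": ALICE_SAMPLE}))
    print(SERVER.process_400({"user": "alice", "biometric": IMPOSTOR_SAMPLE}))
```

Two points the simulation makes visible: in the FIG. 3 path the biometric match happens entirely on the client, so the ESB server's only check is whether it trusts the retrieved certificate (`connect_with_certificate`), and a client-side store is therefore the component to protect; in the FIG. 4 path the raw biometric information leaves the client and crosses the ESB to the third party, so the transport carrying it (the ESB message or RADIUS exchange mentioned above) must itself be protected, and the server grants nothing unless the third party's reply is exactly the allowed message.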

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Biomedical Technology (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Collating Specific Patterns (AREA)

Abstract

An enterprise service bus server receives a user's biometric information from a client. The enterprise service bus server requests authentication of the user by sending the user's biometric information to a trusted third party authenticator. Furthermore, the enterprise service bus server establishes a connection with the enterprise service bus client if the trusted third party authenticator indicates that the user is authenticated. In addition, the enterprise service bus server allows access to an enterprise service bus service for the enterprise service client.

Description

RELATED APPLICATIONS
This patent application is related to the co-pending U.S. patent application, entitled “Adding Biometric Identification To The Client Security Infrastructure For An Enterprise Service Bus System”, application Ser. No. 12/350,906, filed Jan. 8, 2009. The related co-pending application is assigned to the same assignee as the present application.
TECHNICAL FIELD
Embodiments of the present invention relate to a method and system for security. Specifically, embodiments of the invention relate to adding a biometric identification to the client and server security infrastructure for an enterprise service bus system.
BACKGROUND
A service oriented architecture (SOA) enables enterprises to integrate services, handle business events, and automate business processes more efficiently. For example, an SOA links information technology resources, data, services, and applications. An SOA can include an enterprise service bus (ESB). An ESB is an event-driven and standards-based messaging engine that provides services for more complex architectures. The ESB provides infrastructure that links together services and clients to enable distributed applications and processes. For example, an ESB can include one or more busses that logically interconnect available services and clients.
The ESB interconnects services and clients using different protocols such as hypertext transfer protocol, common object request broker architecture, Java™, file transfer protocol, and email. In addition, the ESB adds a layer of security to the connections using certificate exchange between the ESB client and ESB server. The ESB uses this security to allow or disallow ESB clients access to ESB services.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like references indicate similar elements. It should be noted that different references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and such references mean at least one.
FIG. 1 is a block diagram of one embodiment of ESB security system using biometric identification with certificates.
FIG. 2 is a block diagram of one embodiment of ESB security system using biometric identification with trusted third party biometric repository.
FIG. 3 is a flowchart of one embodiment of a process for accessing an ESB service using a certificate retrieved using a user's biometric information.
FIG. 4 is a flowchart of one embodiment of a process for accessing an ESB service using a user's biometric information and a trusted third party authenticator.
FIG. 5 is a block diagram of a biometric identifier that retrieves a certificate from a user's biometric information.
FIG. 6 is a block diagram of a biometric identifier that identifies a user with the user's biometric information and a trusted third party authenticator.
FIG. 7 is a diagram of one embodiment of a computer system for a biometric identifier.
DETAILED DESCRIPTION
The ESB security system authenticates a user of ESB services using the user's biometric information. In particular, in one embodiment, an ESB client accesses the user's biometric information, such as the user's fingerprint information, iris characteristics, facial recognition, hand geometry, deoxyribonucleic acid properties, etc. via a biometric input module coupled to the ESB client. The ESB client matches this biometric information with biometric information stored in a certificate database. The certificate database can be local to the ESB client or stored on a certificate server that is remote from the ESB client. If the ESB client determines there is a match between the user's biometric information and the biometric information stored in the certificate database, the ESB client retrieves a certificate from the certificate database. With the retrieved certificate, the ESB client establishes a connection to the ESB and accesses ESB services.
In another embodiment, the ESB client accesses the user's biometric information via a biometric input module coupled to the ESB client and sends this biometric information to an ESB server. The ESB server receives the user's biometric information and attempts to authenticate the user based on the biometric information with a trusted third party authenticator. The trusted third party authenticator sends back a message authenticating the user to the ESB server. The ESB system establishes a connection with the ESB client and allows the ESB client to access ESB services.
FIG. 1 is a block diagram of one embodiment of ESB security system 100 using biometric identification with certificates. In FIG. 1, ESB security system comprises client 102 communicating with ESB 106 to access service(s) 110. In this embodiment, client 102 establishes a connection with ESB 106 using a public key certificate. A public key certificate is an electronic document that incorporates a digital signature of a user to bind together a public key with the user's identity. This certificate is used to verify that the public key belongs to an individual. Using the certificate, client 102 identifies the user of client 102 to ESB 106. Based on the certificate, ESB 106 allows connection to none, some, or all of service(s) 106. In one embodiment, ESB 106 allows the connection using ESB server 108.
Instead of client 102 just sending the certificate to ESB 106, client 102 uses a user's biometric information to identify the user to client 102. Once the user is identified, client 102 sends the user's certificate to ESB 106. As is known in the art, biometric information is information that describes or identifies a person based on physiological or behavioral characteristics. For example and in one embodiment, physiological biometric information identifies a user based on the user's fingerprint, iris characteristics, facial recognition, hand geometry, deoxyribonucleic acid (DNA) properties, etc. As another example and in another embodiment, behavioral biometric information identifies a user based on the user's voice characteristics.
Client 102 comprises biometric identification module 104, biometric input module 114, and (optionally) certificate database 116. Biometric input module 114 is a module that acquires the user's biometric information. For example, and in one embodiment, biometric input module 114 is a fingerprint scanner, retinal scanner, facial recognition system, hand geometry recognition system, voice analyzer, DNA analyzer, etc.
Biometric identification module 104 accesses the user's biometric information from biometric input module 114 and determines if the user's biometric information matches biometric information known to client 102. In one embodiment, biometric identification module 104 matches the user's biometric information with the biometric information stored in a certificate database 116 that is part of client 102. In this embodiment, biometric identification module 104 queries certificate database 116 with the user's biometric information to determine if there is a match. If there is a match, certificate database 116 returns the stored certificate that corresponds to the user's biometric information. In one embodiment, certificate database 116 matches the biometric information alone to identify the user. In another embodiment, certificate database 116 matches the biometric information together with some other information (name, user name, password, etc., and/or a combination thereof) to identify the user. Client 102 uses this stored certificate to access service(s) 110 via ESB 106 using an ESB 106 access transport, such as hypertext transfer protocol, common object request broker architecture, Java™, file transfer protocol, and email. This certificate can be used by client 102 to access some or all of the available service(s) 110.
In an alternate embodiment, biometric identification module 104 queries certificate server 112 that is remote from client 102 with the user's biometric information to determine if there is a match. If there is a match, certificate server 112 returns the stored certificate that corresponds to the user's biometric information. Client 102 uses this stored certificate to access service(s) 110 via ESB 106 using one of the access transports listed above.
In both of the above embodiments of FIG. 1, biometric identification module 104 acts as a bridge between biometric input module 114 that is part of client 102 and the certificate-based security infrastructure of ESB 106. Thus, in FIG. 1, client 102 uses the existing ESB security infrastructure to bridge the biometric information accessed by client 102 and the certificates used by the ESB server to authenticate the user.
In another embodiment, a client can establish a connection to access ESB services without using certificates, by sending the biometric information to the ESB. FIG. 2 is a block diagram of one embodiment of ESB security system 200 using biometric identification with trusted third party biometric authenticator 212. In FIG. 2, ESB security system comprises client 202 communicating with ESB 206 to access service(s) 210. Unlike in FIG. 1, in this embodiment, client 202 establishes a connection with ESB 106 using a user's biometric information communicated between client 202 and server 208. This biometric information is used to verify that the user is allowed to access service(s) 210. Based on the biometric information, ESB 206 allows connection to none, some or all of service(s) 206.
Client 202 comprises biometric transmitting module 204 and biometric input module 214. As in FIG. 1, biometric input module 214 is a module that acquires the user's biometric information. For example, and in one embodiment, biometric input module 214 is a fingerprint scanner, retinal scanner, facial recognition system, etc. Biometric transmitting module 204 accesses the acquired biometric information and transmits the acquired biometric information to server 208. In one embodiment, biometric transmitting module 204 embeds the biometric information in an ESB message. In this embodiment, client 202 receives a message from server 208 indicating whether the authentication based on the biometric information succeeded or not.
In response to the transmitted biometric information, server 208 attempts to authenticate client 204 using this biometric information. In this embodiment, server 208 comprises biometric identifying module 214. Biometric identifying module 214 queries trusted third party authenticator 212 with the user's biometric information to determine if there is a match. If there is a match, trusted third party authenticator 212 sends an authenticate allowed message back to server 208. In one embodiment, the authenticate allowed message is an ESB message. In an alternate embodiment, server 208 embeds the biometric information in a Remote Authentication Dial In User Service (RADIUS) message. In this embodiment, server 208 uses the RADIUS protocol to authenticate client 204 using the user's biometric information. Server 208 establishes a connection with client 202 and allows client 202 to access service(s) 210.
In one embodiment, trusted third party authenticator 212 is a system that stores biometric information and authenticates requests based on the stored biometric information. For example and in one embodiment, trusted third party authenticator 212 can be a private or governmental party that compiles biometric information for use in many different systems (ESB, etc.). Alternatively, trusted third party authenticator 212 can be a bank, insurance company, etc.
FIG. 3 is a flowchart of one embodiment of a process 300 for accessing an ESB service using a certificate generated from a user's biometric information. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), or a combination thereof. In one embodiment, the process 300 is performed by a biometric identification module used in a client such as biometric identification module 104 of FIG. 1.
Referring to FIG. 3, process 300 begins with processing logic accessing the user's biometric information at block 302. In one embodiment, process 300 accesses fingerprint information from a fingerprint scanner. In alternative embodiments, process 300 accesses other types of biometric information using a different type of system (retinal scanner, facial recognition system, etc.).
At block 304, process 300 determines if the user is a valid ESB user based on the accessed biometric information. In one embodiment, process 300 determines if the user is a valid ESB user by matching the accessed biometric information with biometric information stored in a local certificate database as described with reference to FIG. 1. In another embodiment, process 300 queries a remote certificate server using the accessed biometric information to determine if the user associated with the biometric information is allowed.
If the user is not a valid ESB user, process 300 denies access to the ESB service(s) and the process ends at block 312. However, if the user is a valid ESB user, process 300 generates a certificate at block 306. In one embodiment, process 300 generates a certificate by retrieving the corresponding certificate from a local certificate database as described in reference to FIG. 1. Alternatively, process 300 receives a certificate from a remote certificate server as described in reference to FIG. 1.
At block 308, process 300 establishes a connection between the client and the ESB server using the retrieved certificate. Process 300 accesses the ESB service at block 310.
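The client-side flow of FIG. 1 and of process 300 in FIG. 3 (blocks 302 through 312), written out as an added example. This is not code from the patent or from any Red Hat product: the certificate database, the ESB server stand-in, the fixed-length byte-string templates and the Hamming-distance match with a tolerance of 4 bits are all constructed assumptions, chosen so that a slightly noisy re-capture of an enrolled template still matches while an unrelated sample does not.

```python
"""Client-side biometric-to-certificate flow (FIG. 1 / FIG. 3, blocks 302-312).

Added illustration, not the patent's code. Templates are constructed
fixed-length byte strings standing in for a vendor template; matching is
a Hamming-distance comparison with an assumed tolerance.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH_THRESHOLD = 4  # assumed bit-error tolerance; biometric matching is never exact


def template_distance(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length biometric templates."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


@dataclass(frozen=True)
class Certificate:
    """Stand-in for a public key certificate bound to a user identity."""
    subject: str
    public_key_id: str
    allowed_services: frozenset


class CertificateDatabase:
    """Certificate database 116 of FIG. 1: enrolled templates bound to certificates."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, Certificate]] = []

    def enroll(self, template: bytes, cert: Certificate) -> None:
        self._entries.append((template, cert))

    def lookup(self, sample: bytes) -> Optional[Certificate]:
        """Block 304/306: return the certificate of the closest template within tolerance."""
        best: Optional[Tuple[int, Certificate]] = None
        for template, cert in self._entries:
            d = template_distance(sample, template)
            if d <= MATCH_THRESHOLD and (best is None or d < best[0]):
                best = (d, cert)
        return best[1] if best else None


class EsbServer:
    """Minimal stand-in for ESB server 108: trusts certificates by subject name."""

    def __init__(self, trusted_subjects, services) -> None:
        self.trusted_subjects = set(trusted_subjects)
        self.services = set(services)

    def connect(self, cert: Certificate) -> bool:
        """Block 308: accept a connection only for a trusted certificate."""
        return cert.subject in self.trusted_subjects

    def access(self, cert: Certificate, service: str) -> bool:
        """Block 310: the service must exist and be permitted for this certificate."""
        return self.connect(cert) and service in self.services and service in cert.allowed_services


def access_esb_service(sample: bytes, db: CertificateDatabase, esb: EsbServer, service: str) -> str:
    """Run process 300 end to end and report the outcome as a short status string."""
    cert = db.lookup(sample)
    if cert is None:
        return "denied: no matching certificate"  # block 312
    if not esb.connect(cert):
        return "denied: certificate not trusted by ESB"
    if not esb.access(cert, service):
        return "denied: service not permitted for certificate"
    return f"access granted to {service} as {cert.subject}"


if __name__ == "__main__":
    # Constructed sample data: one enrolled user and a noisy re-capture.
    db = CertificateDatabase()
    db.enroll(bytes.fromhex("a5a5a5a5a5a5a5a5"),
              Certificate("alice", "key-1", frozenset({"orders"})))
    esb = EsbServer(trusted_subjects=["alice"], services=["orders", "billing"])
    print(access_esb_service(bytes.fromhex("a5a5a5a5a5a5a5a4"), db, esb, "orders"))
    print(access_esb_service(bytes(8), db, esb, "orders"))
```

The lookup keeps the certificate rather than the raw biometric sample as the credential that reaches the ESB, which is the bridging role the text assigns to biometric identification module 104; the tolerance constant is where a real deployment tunes false-accept against false-reject.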
In FIG. 3, process 300 accessed the user's biometric information to match and retrieve a certificate that is used to establish a secure connection with the ESB server. As described in FIG. 2 above, a process can transmit the biometric information to the ESB server and have the ESB server authenticate the user with the received biometric information using a trusted third party authenticator.
FIG. 4 is a flowchart of one embodiment of a process 400 for authenticating a user with received biometric information and a trusted third party authenticator. The process may be performed by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), or a combination thereof. In one embodiment, the process 400 is performed by a biometric identification module used in a server, such as biometric identifying module 216 of FIG. 1.
Referring to FIG. 4, process 400 begins with processing logic receiving biometric information of a user from a client at block 402. In one embodiment, process 400 receives biometric information from client 202, which includes a biometric input module 214 that client 202 uses to access the user's biometric information.
At block 404, process 400 requests authentication of a user from a third party authenticator using the received biometric information. In one embodiment, process 400 sends an authentication request to trusted third party authenticator 212 as described with reference to FIG. 2. In one embodiment, process 400 sends an ESB message. Process 400 determines if the user is a valid ESB user at block 406. In one embodiment, process 400 determines if the user is a valid ESB user by receiving an authentication allowed message from trusted third party authenticator 212 as described in reference to FIG. 2 above. In one embodiment, the authentication allowed message is an ESB message. If process 400 determines that the user is not allowed to access the ESB service(s), process 400 denies the user's client access to the ESB service(s) at block 412.
If the user is a valid user, process 400 establishes a connection with the client at block 408. In one embodiment, process 400 establishes a connection to the ESB service(s). At block 410, process 400 allows access to the ESB service(s).
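The server-side flow of FIG. 2 and of process 400 in FIG. 4 (blocks 402 through 412), as an added example that shows both sides' messages: client 202 embeds the sample in an ESB message, server 208 forwards it in a second ESB message to trusted third party authenticator 212, and the authenticator answers with an authentication allowed or denied message. This is not code from the patent or from any Red Hat product. The message header and body field names, the correlation id that ties the authenticator's reply to the server's request, the byte-string templates and the bit-distance match with a tolerance of 4 are all constructed assumptions.

```python
"""Server-side biometric authentication via a trusted third party
(FIG. 2 / FIG. 4, blocks 402-412), modelled as ESB messages.

Added illustration, not the patent's code. Field names, the correlation
id and the template format are assumptions made for this example.
"""
import secrets
from dataclasses import dataclass


@dataclass
class EsbMessage:
    """Minimal ESB message: a header map and a body map."""
    header: dict
    body: dict


class TrustedThirdPartyAuthenticator:
    """Authenticator 212: stores enrolled templates and answers authentication requests."""
    THRESHOLD = 4  # assumed bit-error tolerance for the constructed templates

    def __init__(self) -> None:
        self._enrolled = {}  # user id -> template bytes

    def enroll(self, user_id: str, template: bytes) -> None:
        self._enrolled[user_id] = template

    def handle(self, request: EsbMessage) -> EsbMessage:
        """Compare the sample in the request with the enrolled template for that user."""
        sample = request.body["biometric"]
        template = self._enrolled.get(request.body["user"])
        allowed = (
            template is not None
            and len(template) == len(sample)
            and sum(bin(x ^ y).count("1") for x, y in zip(sample, template)) <= self.THRESHOLD
        )
        return EsbMessage(
            header={"type": "auth-response", "correlation": request.header["correlation"]},
            body={"result": "authentication allowed" if allowed else "authentication denied"},
        )


class EsbServer:
    """Server 208 with biometric identifying module 214."""

    def __init__(self, ttp: TrustedThirdPartyAuthenticator, services) -> None:
        self.ttp = ttp
        self.services = set(services)
        self.connections = set()  # users with an established connection (block 408)

    def handle_client_message(self, msg: EsbMessage) -> EsbMessage:
        # Block 402: biometric information arrives inside the client's ESB message.
        user_id = msg.body["user"]
        # Block 404: forward it to the trusted third party in a fresh ESB message.
        correlation = secrets.token_hex(8)
        request = EsbMessage(
            header={"type": "auth-request", "correlation": correlation},
            body={"user": user_id, "biometric": msg.body["biometric"]},
        )
        response = self.ttp.handle(request)
        # Block 406: the reply must answer this request and must say "allowed".
        if (response.header.get("correlation") != correlation
                or response.body.get("result") != "authentication allowed"):
            return EsbMessage(header={"type": "connect-response"}, body={"status": "denied"})  # block 412
        self.connections.add(user_id)  # block 408
        return EsbMessage(header={"type": "connect-response"}, body={"status": "connected"})

    def access_service(self, user_id: str, service: str) -> bool:
        """Block 410: only a connected user reaches an existing service."""
        return user_id in self.connections and service in self.services


def client_connect(server: EsbServer, user_id: str, sample: bytes) -> str:
    """Client 202: biometric transmitting module 204 embeds the sample in an ESB message."""
    msg = EsbMessage(header={"type": "connect-request"}, body={"user": user_id, "biometric": sample})
    return server.handle_client_message(msg).body["status"]


if __name__ == "__main__":
    # Constructed sample data: one enrolled user, a noisy re-capture, an unknown user.
    ttp = TrustedThirdPartyAuthenticator()
    ttp.enroll("bob", bytes.fromhex("0f0f0f0f0f0f0f0f"))
    server = EsbServer(ttp, services=["orders"])
    print(client_connect(server, "bob", bytes.fromhex("0f0f0f0f0f0f0f0c")))
    print(server.access_service("bob", "orders"))
    print(client_connect(server, "carol", bytes.fromhex("0f0f0f0f0f0f0f0f")))
```

The correlation check in block 406 is not spelled out in the text; it is included because a server that accepts any "authentication allowed" message on the bus, rather than the reply to its own pending request, would grant connections it never asked the authenticator about. In a real ESB the same role is played by authenticating the reply's origin and binding it to the outstanding request.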
FIG. 5 is a block diagram of a biometric identification module 500 that generates a certificate from a user's biometric information. In one embodiment, client biometric identification module 500 is biometric identification module 104 of client 102 in FIG. 1 above. Biometric identification module 500 comprises biometric information accessing module 502, authenticate module 504, certificate retrieving module 506, and client secure connection module 508. Biometric information accessing module 502 accesses biometric information that is generated using a biometric input module, such as biometric input module 114 of client 102 in FIG. 1. In one embodiment, biometric information accessing module 502 accesses the biometric information as described in FIG. 3, block 302. Authenticate module 504 uses the accessed biometric information to authenticate the user as described in FIG. 3, block 304. Certificate retrieving module 506 retrieves the certificate for the user as described in FIG. 3, block 306. Client secure module 508 establishes a connection using the generated certificates between client and an ESB server as described in FIG. 3, block 308.
FIG. 6 is a block diagram of a server biometric identifying module 600 that identifies a user with the user's biometric information and a trusted third party repository of biometric information. In one embodiment, server biometric identifying module 600 is biometric identifying module 214 of ESB server 208 in FIG. 1 above. Server biometric identifying module 600 comprises biometric information receiver module 602, authenticate request module 604, authenticate receive module 606, server connection module 608, and server access module 608. Biometric information receiving module 602 receives biometric information that is generated using a biometric input module, such as biometric input module 214 of client 202 in FIG. 2. In one embodiment, biometric information receiving module 602 receives the biometric information as described in FIG. 4, block 402. Authenticate request module 604 uses the received biometric information to request an authentication of the user as described in FIG. 4, block 404. Authenticate receive module 406 receives the response to the authentication request and determines if the user is a valid ESB user as described in FIG. 4, block 406. Server connection module 608 establishes a connection between the ESB client and the ESB server as described in FIG. 4, block 408. Server access module 610 allows access to ESB service(s) for the ESB client as described in FIG. 4, block 410.
FIG. 7 is a diagram of one embodiment of device 700 for biometric identification. Within the device 700 is a set of instructions for causing the machine to perform any one or more of the methodologies discussed herein. In alternative embodiments, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, or the Internet. The machine can operate in the capacity of a server or a client machine (e.g., a client computer accessing ESB services using certificates retrieved using a user's biometric information and the server computer allowing access to ESB services based on biometric information and a trusted third party biometric repository) in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a console device or set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines (e.g., computers) that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
The exemplary device 700 includes a processing device 702, a main memory 704 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 706 (e.g., flash memory, static random access memory (SRAM), etc.), and a secondary memory 716 (e.g., a data storage device in the form of a drive unit, which may include fixed or removable computer-readable storage medium), which communicate with each other via a bus 708.
Processing device 702 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device 702 may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 702 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. Processing device 702 is configured to execute the ESB communication system 726 for performing the operations and steps discussed herein.
The device 700 may further include a network interface device 722. The device 700 also may include a video display unit 710 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)) connected to the computer system through a graphics port and graphics chipset, an alphanumeric input device 712 (e.g., a keyboard), a cursor control device 714 (e.g., a mouse), and a signal generation device 720 (e.g., a speaker).
The secondary memory 716 may include a machine-readable storage medium (or more specifically a computer-readable storage medium) 724 on which is stored one or more sets of instructions (e.g., the biometric identifier system 726) embodying any one or more of the methodologies or functions described herein. The biometric identifier system 726 may also reside, completely or at least partially, within the main memory 704 and/or within the processing device 702 during execution thereof by the device 700, the main memory 704 and the processing device 702 also constituting machine-readable storage media. The biometric identifier system 726 may further be transmitted or received over a network 718 via the network interface device 722.
The computer-readable storage medium 724 may also be used to store the biometric identifier system 726 persistently. While the computer-readable storage medium 726 is shown in an exemplary embodiment to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The terms “computer-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present invention. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.
The modules 728, components and other features described herein (for example in relation to FIG. 1) can be implemented as discrete hardware components or integrated in the functionality of hardware components such as ASICS, FPGAs, DSPs or similar devices. In addition, the modules 728 can be implemented as firmware or functional circuitry within hardware devices. Further, the modules 728 can be implemented in any combination of hardware devices and software components.
In the above description, numerous details are set forth. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the present invention.
Some portions of the detailed descriptions above are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “receiving,” “accessing,” “establishing,” “querying,” “sending,” “retrieving,” “allowing,” or the like, refer to the actions and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories, registers or other such information storage, transmission or display devices.
The present invention also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, Flash memory devices including universal serial bus (USB) storage devices (e.g., USB key devices) or any type of media suitable for storing electronic instructions, each of which may be coupled to a computer system bus.
The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the invention as described herein.
A computer-readable storage medium includes any mechanism for storing information in a form readable by a computer. For example, a computer-readable storage medium includes read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media; optical storage media, flash memory devices or other type of machine-accessible storage media.
Thus, a method and apparatus for communicating ESB messages has been described. It is to be understood that the above description is intended to be illustrative and not restrictive. Many other embodiments will be apparent to those of skill in the art upon reading and understanding the above description. The scope of the invention should, therefore, be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

Claims (10)

What is claimed is:
1. A method comprising:
receiving, by a processing device of a server, an enterprise service bus (ESB) message from an ESB client, wherein the ESB message comprises biometric information of a user;
sending, by the processing device, an ESB type message comprising a request to authenticate the user to an ESB-compliant trusted third party authenticator using only the user's biometric information and without using a certificate, wherein the ESB type message comprises the biometric information of the user, and wherein the ESB-compliant trusted third party authenticator is an ESB-compliant system that stores biometric information and authenticates the request in view of analyzing the biometric information of the user and at least a portion of the stored biometric information;
establishing, by the processing device, a connection between an ESB service and the client in response to the ESB-compliant trusted third party authenticator providing a responsive ESB message comprising an authentication allowed response which indicates that the user is authenticated in view of analyzing only the biometric information of the user and at least a portion of the stored biometric information; and
allowing, by the processing device, access by the ESB client to the ESB service without using a certificate, wherein access to the ESB service is determined in view of only the biometric information of the user.
2. The method of claim 1, wherein the biometric information is at least one of fingerprint information, retinal information, facial characteristics, hand geometry, voice characteristics, or deoxyribonucleic acid information.
3. The method of claim 1, wherein the user's biometric information is accessed from a biometric module operatively coupled to the ESB client and the biometric module is at least one of a fingerprint scanner, a facial recognition system, a hand geometry recognition system, a voice analyzer, or a DNA analyzer.
4. A non-transitory computer readable storage medium having instructions stored thereon that, when executed by a processing device, cause the processing device to:
receive, by the processing device, an enterprise service bus (ESB) message from an ESB client, wherein the ESB message comprises biometric information of a user;
send, by the processing device, an ESB type message comprising a request to authenticate the user to an ESB-compliant trusted third party authenticator using only the user's biometric information and without using a certificate, wherein the ESB type message comprises the biometric information of the user, and wherein the ESB-compliant trusted third party authenticator is an ESB-compliant system that stores biometric information and authenticates the request in view of analyzing the biometric information of the user and at least a portion of the stored biometric information;
establish, by the processing device, a connection between an ESB service and the client in response to the ESB-compliant trusted third party authenticator providing a responsive ESB message comprising an authentication allowed response which indicates that the user is authenticated in view of analyzing only the biometric information of the user and at least a portion of the stored biometric information; and
allow access by the ESB client to the ESB service without using a certificate, wherein access to the ESB service is determined in view of only the biometric information of the user.
5. The non-transitory computer readable storage medium of claim 4, wherein the biometric information is at least one of fingerprint information, retinal information, facial characteristics, hand geometry, voice characteristics, or deoxyribonucleic acid information.
6. The non-transitory computer readable storage medium of claim 4, wherein the biometric information of the user is accessed from a biometric module operatively coupled to the ESB client, and wherein the biometric module is at least one of a fingerprint scanner, a facial recognition system, a hand geometry recognition system, a voice analyzer, or a DNA analyzer.
7. A system comprising:
a memory to store instructions; and
a processing device, operatively coupled to the memory, the processing device to execute the instructions to:
receive an enterprise service bus (ESB) message from an ESB client, wherein the ESB message comprises biometric information of a user;
send an ESB type message comprising a request to authenticate the user to an ESB-compliant trusted third party authenticator using only the user's biometric information and without using a certificate, wherein the ESB type message comprises the biometric information of the user, and wherein the ESB-compliant trusted third party authenticator is an ESB-compliant system that stores biometric information and authenticates the request in view of analyzing the biometric information of the user and at least a portion of the stored biometric information;
establish, by the processing device, a connection between an ESB service and the client in response to the ESB-compliant trusted third party authenticator providing a responsive ESB message comprising an authentication allowed response which indicates that the user is authenticated in view of analyzing only the biometric information of the user and at least a portion of the stored biometric information; and
allow access by the ESB client to the ESB service without using a certificate, wherein access to the ESB service is determined in view of only the biometric information of the user.
8. The system of claim 7, wherein the biometric information is at least one of fingerprint information, retinal information, facial characteristics, hand geometry, voice characteristics, or deoxyribonucleic acid information.
9. The system of claim 7, wherein the biometric information of the user is accessed from a biometric device module coupled to the ESB client, and wherein the biometric device module is at least one of a fingerprint scanner, a facial recognition system, a hand geometry recognition system, a voice analyzer, or a DNA analyzer.
10. The system of claim 7, wherein the ESB-compliant trusted third party authenticator stores biometric information and authenticates requests in view of at least a portion of the biometric information.
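The message flow that claims 1, 4 and 7 describe, written out as an added example that is not part of the patent and not code from Red Hat or JBoss ESB. Three parties exchange plain dicts standing in for ESB messages: the ESB client, the "processing device" (the ESB server) and the ESB-compliant trusted third party authenticator that holds the stored biometric information. Everything not stated in the claims is an assumption of this example: biometric information is modelled as a fixed-length byte template compared by Hamming distance against an assumed threshold, the `request_id` that ties the authenticator's response to the request, the `service` and `user_hint` fields, and all message field names. Two points the claims leave to the implementer are made explicit: the server forwards the sample and never matches it itself (the authenticator's verdict is the sole basis for access, and no certificate is consulted), and a sample that falls within threshold of more than one stored template is refused rather than reported as "authentication allowed".

```python
"""Added example (not from the patent or Red Hat): a minimal simulation of
the ESB message flow of claims 1, 4 and 7.  Plain dicts stand in for ESB
messages passed between an ESB client, the ESB server ("processing device")
and an ESB-compliant trusted third party (TTP) authenticator.  Biometric
information is modelled as a fixed-length byte template compared by
Hamming distance; the template format, the match threshold, the request-id
correlation and every field name are assumptions of this example."""

import secrets
from typing import Dict

TEMPLATE_LEN = 32        # assumed template size in bytes
MATCH_MAX_DISTANCE = 40  # assumed: maximum differing bits for a match


def hamming(a: bytes, b: bytes) -> int:
    """Differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class TrustedThirdPartyAuthenticator:
    """ESB-compliant system that stores enrolled templates and answers an
    'authenticate' ESB message by analysing the submitted sample against
    the stored biometric information (claims 1, 4, 7 and 10)."""

    def __init__(self) -> None:
        self._enrolled: Dict[str, bytes] = {}

    def enroll(self, user_id: str, template: bytes) -> None:
        self._enrolled[user_id] = template

    def handle(self, msg: dict) -> dict:
        rid = msg.get("request_id")
        if msg.get("type") != "authenticate":
            return {"type": "auth_response", "request_id": rid,
                    "result": "authentication denied", "reason": "bad type"}
        # A user hint restricts the comparison to "a portion" of the store;
        # without one this is 1:N identification over every template.
        hint = msg.get("user_hint")
        candidates = ({hint: self._enrolled[hint]} if hint in self._enrolled
                      else {} if hint else self._enrolled)
        matches = [u for u, t in candidates.items()
                   if hamming(msg["biometric"], t) <= MATCH_MAX_DISTANCE]
        if len(matches) == 1:
            return {"type": "auth_response", "request_id": rid,
                    "result": "authentication allowed", "user": matches[0]}
        # No match, or more than one enrolled template within threshold:
        # an ambiguous identification must not be reported as success.
        reason = "ambiguous match" if matches else "no match"
        return {"type": "auth_response", "request_id": rid,
                "result": "authentication denied", "reason": reason}


class ESBServer:
    """The claimed 'processing device': forwards the client's biometric in
    an ESB-type authentication request and connects the client to the ESB
    service only on an 'authentication allowed' response.  No certificate
    is consulted, and the server never matches biometrics itself."""

    def __init__(self, ttp: TrustedThirdPartyAuthenticator,
                 services: Dict[str, object]) -> None:
        self._ttp = ttp
        self._services = services
        self.connections: Dict[str, dict] = {}

    def receive(self, client_msg: dict) -> dict:
        rid = secrets.token_hex(8)  # assumed: binds the TTP reply to this request
        auth_req = {"type": "authenticate", "request_id": rid,
                    "biometric": client_msg["biometric"]}
        if client_msg.get("user_hint"):
            auth_req["user_hint"] = client_msg["user_hint"]
        resp = self._ttp.handle(auth_req)
        if (resp.get("request_id") != rid
                or resp.get("result") != "authentication allowed"):
            return {"type": "access_denied",
                    "reason": resp.get("reason", "unexpected response")}
        svc = client_msg.get("service")
        if svc not in self._services:
            return {"type": "access_denied", "reason": "unknown service"}
        cid = secrets.token_hex(8)
        self.connections[cid] = {"user": resp["user"], "service": svc}
        return {"type": "access_granted", "connection_id": cid,
                "user": resp["user"], "service": svc}


def run_demo() -> Dict[str, dict]:
    """Constructed enrolments and three requests: one accepted, one from an
    unknown person, one whose sample matches two enrolled templates."""
    ttp = TrustedThirdPartyAuthenticator()
    alice = bytes([0x5A] * TEMPLATE_LEN)
    ttp.enroll("alice", alice)
    ttp.enroll("bob", bytes([0xA5] * TEMPLATE_LEN))  # complement: 256 bits away
    esb = ESBServer(ttp, {"payroll": object()})
    scan = bytearray(alice)
    scan[0] ^= 0x0F          # a fresh scan differs slightly: 6 bits flipped
    scan[7] ^= 0x81
    results = {
        "ok": esb.receive({"service": "payroll", "biometric": bytes(scan)}),
        "stranger": esb.receive({"service": "payroll",
                                 "biometric": bytes([0x0F] * TEMPLATE_LEN)}),
    }
    ttp.enroll("carol", bytes(scan))  # near-duplicate enrolment: now ambiguous
    results["ambiguous"] = esb.receive({"service": "payroll", "biometric": alice})
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r["type"], r.get("user", r.get("reason")))
```

The claims bound only the decision logic: the authenticator's response, and nothing else, opens the connection to the ESB service. They say nothing about how the ESB messages carrying raw biometric samples are protected in transit, how the template store is protected, or how a captured sample is kept from being replayed; in a deployment those have to come from the ESB's transport and message security layers, not from this flow.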
Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/350,908 US9378348B2 (en) 2009-01-08 2009-01-08 Adding biometric identification to the server security infrastructure for an enterprise service bus system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/350,908 US9378348B2 (en) 2009-01-08 2009-01-08 Adding biometric identification to the server security infrastructure for an enterprise service bus system

Publications (2)

Publication Number Publication Date
US20100175114A1 US20100175114A1 (en) 2010-07-08
US9378348B2 (en) 2016-06-28

Family

ID=42312581

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/350,908 Active 2030-09-05 US9378348B2 (en) 2009-01-08 2009-01-08 Adding biometric identification to the server security infrastructure for an enterprise service bus system

Country Status (1)

Country Link
US (1) US9378348B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10560476B2 (en) 2017-02-22 2020-02-11 International Business Machines Corporation Secure data storage system

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2645275A1 (en) * 2012-03-30 2013-10-02 Gemalto SA Method, device and system for accessing a service
US11252150B2 (en) 2016-12-08 2022-02-15 Mastercard International Incorporated Systems and methods for smartcard biometric enrollment
US11153308B2 (en) * 2019-06-27 2021-10-19 Visa International Service Association Biometric data contextual processing
CN111800417A (en) * 2020-07-06 2020-10-20 中电万维信息技术有限责任公司 ESB-based unified identity authentication method

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6928546B1 (en) * 1998-05-14 2005-08-09 Fusion Arc, Inc. Identity verification method using a central biometric authority
US6934848B1 (en) 2000-07-19 2005-08-23 International Business Machines Corporation Technique for handling subsequent user identification and password requests within a certificate-based host session
US20060000891A1 (en) * 2004-07-01 2006-01-05 American Express Travel Related Services Company, Inc. System for biometric security using a smartcard
US20060036442A1 (en) * 2004-07-30 2006-02-16 Sbc Knowledge Ventures, L.P. Centralized biometric authentication
US7103778B2 (en) * 2000-08-31 2006-09-05 Sony Corporation Information processing apparatus, information processing method, and program providing medium
US20070094509A1 (en) * 2005-10-22 2007-04-26 Jiwei Wei System and method for security authentication
US20080095410A1 (en) * 2006-10-19 2008-04-24 I.Q.S Shalev Ltd. Biometric systems
US7366904B2 (en) 2001-10-18 2008-04-29 Electronics And Telecomunications Research Institute Method for modifying validity of a certificate using biometric information in public key infrastructure-based authentication system
US20090080708A1 (en) * 2007-09-24 2009-03-26 Accenture Smart identity system
US20090106558A1 (en) 2004-02-05 2009-04-23 David Delgrosso System and Method for Adding Biometric Functionality to an Application and Controlling and Managing Passwords
US20100088258A1 (en) * 2008-10-02 2010-04-08 Global Healthcare Exchange, Llc Dynamic intelligent objects
US8327436B2 (en) * 2002-10-25 2012-12-04 Randle William M Infrastructure architecture for secure network management with peer to peer functionality
US8448230B2 (en) * 2008-08-22 2013-05-21 International Business Machines Corporation System and method for real world biometric analytics through the use of a multimodal biometric analytic wallet
US8781923B2 (en) * 2001-01-19 2014-07-15 C-Sam, Inc. Aggregating a user's transactions across a plurality of service institutions

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6928546B1 (en) * 1998-05-14 2005-08-09 Fusion Arc, Inc. Identity verification method using a central biometric authority
US6934848B1 (en) 2000-07-19 2005-08-23 International Business Machines Corporation Technique for handling subsequent user identification and password requests within a certificate-based host session
US7103778B2 (en) * 2000-08-31 2006-09-05 Sony Corporation Information processing apparatus, information processing method, and program providing medium
US8781923B2 (en) * 2001-01-19 2014-07-15 C-Sam, Inc. Aggregating a user's transactions across a plurality of service institutions
US7366904B2 (en) 2001-10-18 2008-04-29 Electronics And Telecomunications Research Institute Method for modifying validity of a certificate using biometric information in public key infrastructure-based authentication system
US8327436B2 (en) * 2002-10-25 2012-12-04 Randle William M Infrastructure architecture for secure network management with peer to peer functionality
US20090106558A1 (en) 2004-02-05 2009-04-23 David Delgrosso System and Method for Adding Biometric Functionality to an Application and Controlling and Managing Passwords
US20060000891A1 (en) * 2004-07-01 2006-01-05 American Express Travel Related Services Company, Inc. System for biometric security using a smartcard
US20060036442A1 (en) * 2004-07-30 2006-02-16 Sbc Knowledge Ventures, L.P. Centralized biometric authentication
US8539249B2 (en) * 2005-10-22 2013-09-17 Huawei Technologies Co., Ltd. System and method for security authentication using biometric authentication technique
US20070094509A1 (en) * 2005-10-22 2007-04-26 Jiwei Wei System and method for security authentication
US20080095410A1 (en) * 2006-10-19 2008-04-24 I.Q.S Shalev Ltd. Biometric systems
US20090080708A1 (en) * 2007-09-24 2009-03-26 Accenture Smart identity system
US8448230B2 (en) * 2008-08-22 2013-05-21 International Business Machines Corporation System and method for real world biometric analytics through the use of a multimodal biometric analytic wallet
US20100088258A1 (en) * 2008-10-02 2010-04-08 Global Healthcare Exchange, Llc Dynamic intelligent objects

Non-Patent Citations (17)

* Cited by examiner, † Cited by third party
Title
"Authenticate," Webster's Third New International Dictionary, 2001, 1 page.
Advisory Action for U.S. Appl. No. 12/350,906 mailed Oct. 27, 2011.
Database "The American Heritage Dictionary of the English Language", Houghton Mifflin Company.
Final Office Action for U.S. Appl. No. 12/350,906 mailed Aug. 18, 2011.
Final Office Action for U.S. Appl. No. 12/350,906 mailed Jul. 18, 2012.
Final Office Action for U.S. Appl. No. 12/350,906 mailed Jul. 9, 2013.
Hinton et al., "Security Patterns within a Service-Oriented Architecture," http://www.ibm.com/developerworks/websphere/library/techarticles/0604-issw/rrlsoa.html, Nov. 2005, 19 pages. *
JBoss Enterprise SOA Platform, www.redhat.com/jboss, 2007, 5 pgs.
JBoss ESB 4.4 GA, Getting Started With JBoss ESB, JBESB-GS-8/5/08, 13 pgs.
JBoss ESB, What is an ESB?, http://www.jboss.org/jbossesb/resources/WhatIsAnESB.html, Dec. 16, 2008, 2 pgs.
JBoss Operations Network FAQ, http://www.redhat.com/f/pdf/JON2-faq.pdf, 2008, 2 pgs.
JBoss ESB 4.4 GA, Services Guide, http://www.jboss.org/jbossesb/docs/4.4.GA/manuals/pdf/ServicesGuide.pdf, JBESB-SG-8/5/08, 73 pgs.
King, Erik, "Perpetual Enterprise Management Service (PEMS) for C2 SOA Deployments", Jun. 14, 2005, 23 pages.
King, Erik, "Perpetual Enterprise Management Service (PEMS) for Next Generation SOA-based Command & Control Systems", Jun. 2005, 26 pages.
Non-Final Office Action for U.S. Appl. No. 12/350,906 mailed Dec. 20, 2011.
Non-Final Office Action for U.S. Appl. No. 12/350,906 mailed May 25, 2011.
Panhelainen, "Security in integration and Enterprise Service Bus (ESB)," Tieto Oy, 2008, available.

Also Published As

Publication number Publication date
US20100175114A1 (en) 2010-07-08

Similar Documents

Publication Publication Date Title
US10728044B1 (en) User authentication with self-signed certificate and identity verification and migration
US20200236147A1 (en) Brokered authentication with risk sharing
US11973750B2 (en) Federated identity management with decentralized computing platforms
US11336632B2 (en) Composite user identities in distributed computing systems
US8489740B2 (en) Method and an apparatus to generate message authentication codes at a proxy server for validating a web session
US11405207B2 (en) Dynamic implementation and management of hash-based consent and permissioning protocols
US8656160B2 (en) Computer system authentication using security indicator
US8191123B2 (en) Provisioning a network appliance
US20100077467A1 (en) Authentication service for seamless application operation
US9118485B2 (en) Using an OCSP responder as a CRL distribution point
KR20100013207A (en) The method for authenticating device and service and the system thereof
US11611551B2 (en) Authenticate a first device based on a push message to a second device
US20180262471A1 (en) Identity verification and authentication method and system
US9378348B2 (en) Adding biometric identification to the server security infrastructure for an enterprise service bus system
WO2021107755A1 (en) A system and method for digital identity data change between proof of possession to proof of identity
US9419805B2 (en) Generating a CRL using a sub-system having resources separate from a main certificate authority sub-system
US9246908B2 (en) Adding biometric identification to the client security infrastructure for an enterprise service bus system
JP2012208855A (en) Identity confirmation system and identity confirmation method
US7844267B2 (en) Server for providing access by a communication terminal to a communication processing service
US20240143730A1 (en) Multi-factor authentication using blockchain
JP2001195373A (en) Agent execution device, agent management device, agent processing system, agent execution method and agent management method

Legal Events

Date Code Title Description
AS Assignment

Owner name: RED HAT, INC., NORTH CAROLINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:LITTLE, MARK CAMERON, DR.;REEL/FRAME:022094/0040

Effective date: 20090107

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8